Stader's 4 ETH bond requirement for permissionless node operators: A comprehensive analysis

This blog summarizes the detailed risk analysis behind the 4 ETH bond backing Stader's ETHx.

Stader's 4 ETH bond requirement for permissionless node operators: A comprehensive analysis

Introduction

Stader is launching a new ETH liquid staking derivative, ETHx, shortly and permissionless node operators will be the backbone of node operations as detailed in the ETHx Litepaper. For example, a permissionless node operator, including a home staker, will not be required to provide a track record of performance, have a prior reputation, sign a contract etc. in order to run nodes for Stader from day 1.

A permissionless node operator can begin running nodes for Stader by depositing a prescribed amount of ETH that acts as a collateral against poor performance (a “bond”). The bond from the node operator is combined with funds from users that stake through Stader’s ETHx, to make a total deposit of 32 ETH to register and run a validator.

One of the key challenges that permissionless node operators face is a high bond requirement that isn’t capital efficient. This simulation was conducted to determine the right bonding requirements that keeps user’s staked funds safe from any penalties/slashing that might happen due to poor node operator performance.

This simulation was carried out in collaboration with SSV Network, with key contributions received from Fod, Research engineer at SSV. We are also grateful to Stakin and Rated for reviewing and sharing feedback on the methodology and results.

Key Takeaways

Detailed simulation to determine the right bonding requirement, that protects user’s funds, was carried out. Here are the key takeaways:

  • 4 ETH bond sufficient to protect user funds from key tail risks: Simulations done for the worst-case level of validator performance (bottom 20th percentile permissionless node operators from a representative sample set used), coupled with extreme low-probability scenarios of adverse network conditions, show that risk to user funds remains at or below 4 ETH. Adverse conditions considered include:
  1. Inactivity leak of 7 days, considering the highest inactivity leak lasted for 5 days on the medalla testnet. Note, there have been no cases of an inactivity leak on the mainnet.
  2. Isolated slashing event - this is the norm on ETH given slashing events are rare on Ethereum with only 224 all-time slashing events over ~168k epochs with 500k+ active validators on the beacon chain.
  3. Non-isolated slashing event represents the scenario of one of the largest slashing events on ETH, from Feb '21, where 96 validators were slashed in 36 days. Less than 0.1% of the network was slashed.
  • 4 ETH bond also found to be effective protection for user’s rewards from MEV theft
  1. The median value of MEV per block is ~0.046 ETH and in 99% of blocks, MEV reward is below  1.29 ETH. The 4 ETH bond leaves enough room to not only recover lost reward but also apply penalties (exceeding rewards stolen) that acts as a deterrent to MEV theft
  2. Given this, even if a very large proportion (30%) of permissionless node operators steal MEV rewards, recovery through the 4 ETH bond can ensure that ~94% of MEV rewards are still in-tact for users. Even in the absolute worst case scenario of 100% of all permissionless node operators stealing MEV, ~80% of MEV rewards will still be in-tact for users.
  3. Further protection from a higher bond, such as 8 ETH, was found to be minimal (ranging between 0.02% to 0.06%).

Approach

In order to find the right bonding requirements for permissionless operators, it's important to clearly outline the factors that can affect user’s staked funds and then simulate how they are affected under these conditions. For a brief overview of ETH’s rewards, penalties and slashing mechanism refer to Appendix A.

Risk Assessment

Firstly, a user’s staked funds on Ethereum are subject to the risk of being penalized or slashed or both. The severity of these risks is dependent on 3 key factors:

  1. Validator performance
  2. Network conditions
  3. Infrastructure

For the above factors, the following conditions have been chosen with the objective of finding an aggressive estimate of the risk to user funds:

  • Validator performance: Cohort of permissionless node operators that represent a worst case scenario for ETHx have been considered for the simulation. To achieve this, the bottom 20th percentile node operators from a representative sample set have been chosen. (Referred to as “Permissionless node operators - bottom performers”)
  • Network conditions:
  1. Inactivity leak of 7 days, considering the highest inactivity leak lasted for 5 days on the medalla testnet. Note, there have been no cases of an inactivity leak on the mainnet.
  2. Isolated slashing event, this is the norm on ETH given slashing events are rare on Ethereum with only 224 all-time slashing events over ~168k epochs with 500k+ active validators on the beacon chain.
  3. Non-isolated slashing event represents the scenario of one of the largest slashing events on ETH, from Feb '21, where 96 validators were slashed in 36 days. Less than 0.1% of the network was slashed.
  • Infrastructure: Non-DVT versus DVT infrastructure to highlight the potential improvements in a DVT-set up. Not only is the probability of occurrence for the above network conditions very low, the probability of these occurring simultaneously is even closer to zero. When these scenarios play out in a DVT system, the probability of occurrence is nearly zero.

Simulation Results: 4 ETH covers key tail risks

Based on the above, detailed simulations were run for all key scenarios outlined above, with the validator’s performance at the level of the cohort “Permissionless node operators - bottom performers” identified above. Our simulation leads to the conclusion that 4ETH bonding requirement is sufficient to cover key tail risks. Further key takeaways and assumptions are summarized below.

  1. In scenarios #1 and #2, a validator operating in a DVT network will leverage the efficiencies of fault-tolerance by achieving higher uptime, and consequently incurs lower penalties.
  2. In scenarios #3 through #6, the bonding requirements with DVT listed should be seen as extremely conservative as the DVT validator is assumed to be slashed even though DVT significantly reduces the probability of the slashing event occurring to nearly zero. In scenario #6, since we are assuming the DVT validator is slashed, the DVT validator will also incur the same inactivity leak penalties as the non-DVT network since a slashed validator is considered to be offline.
  3. Given the Shanghai Upgrade is expected to launch in March 2023, a 180 day window for force-exiting validators provides a sufficient buffer for any delays in the Shanghai upgrade or from the exit queue being long.
  4. Execution layer rewards were excluded (MEV & priority fees) to provide a conservative view

For more on the assumptions, key considerations and the simulation code, refer to Appendix B.

4 ETH bond: Effective protection against MEV theft

ETH staking also generates rewards on the execution layer in the form of MEV and priority fees that accrue to the block proposer. MEV or “maximal extractable value” is the reward earned by including, excluding and re-ordering the transactions in a block. Today, it is possible for a node operator to attempt to withhold or conceal MEV rewards from ETHx holders, either fully or partially, leading to “MEV theft”.

The 4ETH bond will also act as an effective mitigation mechanism against MEV theft and hence, it's important to understand the degree of protection offered by the bond. It is important to note, MEV theft does not affect user’s staked funds i.e, the staked ETH balance is safe, but instead will lead to lower rewards earned by ETHx stakers.

There are a few key ways node operators can attempt to deny MEV rewards to users, such as changing/bypassing designated addresses for receiving MEV, hiding MEV, running their own searchers. For a brief overview of these possibilities, refer to Appendix C.

As detailed in Appendix D, Stader will have comprehensive activity systems that help proactively detect any theft, assess implications and intervene to protect users’ MEV rewards, with mitigation measures that could range from penalties to force exiting the node operator in extreme cases. Below, we will focus on how the 4 ETH bond acts as effective mitigation by looking at the typical level of MEV, and how penalties that can eat into the bond can protect user’s rewards.

Based on a detailed study of MEV rewards for validators over a 3 month window, the 4 ETH bond materially protects users’ share of MEV rewards. The key details are summarized below:

  1. The median value of MEV per block is ~0.046 ETH and in 99% of blocks, MEV reward is below  1.29 ETH. The 4 ETH bond leaves enough room to not only recover lost reward but also apply penalties (exceeding rewards stolen) that acts as a deterrent to MEV theft
  2. Given this, even if a very large proportion (30%) of permissionless node operators steal MEV rewards, recovery through the 4 ETH bond can ensure that ~94% of MEV rewards are still in-tact for users. Even in the absolute worst case scenario of 100% of all permissionless node operators stealing MEV, ~80% of MEV rewards will still be in-tact for users.

3.  Further protection from a higher bonding requirement, such as 8 ETH, was minimal (ranging between 0.02% to 0.06%). For more details, refer to Appendix E.

The protection from the bond is only as effective as the ability to detect cases of MEV theft and Stader will have a strong monitoring mechanism, developed with the leading players for MEV theft detection in the ETH ecosystem, to identify any instances in a timely fashion. Monitoring mechanism will cover cases including fee recipient change (to be read from the beacon chain daily), suboptimal MEV rewards (identified in comparison with MEV boost APIs and to be used once the APIs are found to be stable) and more.

Conclusion

Stader’s ETHx, with its 4 ETH bond, will usher in the next wave of permissionless stakers to participate in ETH staking by meaningfully lowering capital required to participate and improving capital efficiency. The detailed simulations summarized in this blog show that it’s possible to achieve this lower bonding requirement for permissionless node operators while fully protecting user funds from all key tail risks.

We would love to hear thoughts, comments and opinions from the community. Dive-in to the discussion and tell us what you think: https://forum.staderlabs.com/t/risk-assessment-of-the-bonding-requirement-to-enable-permissionless-node-operators-on-ethx/381

To stay up to date with what we are building, follow us on our socials: Twitter | Telegram | Discord or sign up here to join the ETHx mailing list and be the first to know all the alpha on the upcoming launch.

Appendix

A) A brief overview of ETH’s rewards, penalties & slashing mechanism

A user’s base return on staked assets is influenced by the net effect of rewards, penalties and slashing , if relevant, of a validator. On Ethereum, the rewards, penalties and slashing are of the following types:

  • Rewards:
  1. Attestation Rewards: Rewards for making timely and correct attestations
  2. Block Proposal Rewards: Rewards earned for proposing beacon chain blocks
  3. Sync Committee Rewards: Rewards earned for performing sync committee duties
  4. MEV & Tips: MEV is the value obtained from changing the sequence of transactions inside a block and tips earned for prioritizing transactions in a block.
  • Attestation Penalties: Arising from missed, late or incorrect attestations by the validator.
  • Sync Committee Penalties: Arising from non-performance of Sync Committee duties (Incorrect or missed)
  • No explicit penalties apply to block proposers
  • Inactivity Penalties: Triggered when the beacon chain enters an emergency state known as an “inactivity leak” on account of non-finalization of a checkpoint for longer than 4 epochs. This is caused when one-third of the validators go offline. An inactivity penalty based on their individual inactivity scores are incurred.
  • Slashing: Triggered when validators break specific protocol rules. There are 3 components that determine the impact of slashing
  1. The initial penalty: When a validator is slashed, an initial penalty of 1 ETH is deducted. A slashed validator is also queued for exit with the withdrawability epoch set to 36 days. Isolated incidents can be costly but not damaging to the validator’s balance.
  2. Correlation Penalty: Penalties are scaled depending on the number of validators slashed within a 36 day window. If the balance of slashed validators is >30% of the total balance of all validators in a 36-day window, the correlation penalty will wipe out the entire balance of the validator. The intention is to heavily scale punishment incase of a targeted attack on the network.
  3. Additional Penalties for missed attestations: A slashed validator continues to receive penalties for missed attestations until the validator is exited at the end of 36 days.

B) Simulation assumptions and key considerations

  1. Base reward per increment
  2. Performance Metrics for Permissionless node operators - bottom performers
  3. Performance Metrics for Permissionless node operators - Bottom Performers in a DVT Network
  4. Penalties and Inactivity Leak
  5. Slashing
  6. Attestor & Sync Committee Rewards

Simulation code

  1. Normal Network conditions (Non-DVT)
  2. Normal network conditions (DVT Infra)
  1. Inactivity Leak for 7 days (Non-DVT Infra)
  2. Inactivity leak for 7 days (DVT Infra)
  1. Isolated slashing event without inactivity leak
  2. Isolated slashing event with inactivity leak for 7 days
  1. Non-Isolated slashing without inactivity leak
  2. Non-Isolated slashing with inactivity leak 7 days

C) Potential ways for node operators to commit MEV theft

There are multiple ways a Node Operator can commit MEV theft, these broadly fall under three buckets:

  • Bypassing the designated rewards distribution address
  1. The designated fee recipient address for ETHx will be a Stader smart contract address that receives execution layer rewards and distributes the same between node operators and users
  2. A validator has full control to change the fee recipient address up to the point of actual receipt of MEV rewards on the execution layer thereby avoiding the fair sharing of rewards.
  • Hiding MEV:
  1. The validator can propose a block which contains a value lower than the “real value of MEV”. By colluding with block builders or relays, the validator may accept side-channel payments for the balance amount
  • Validators run searchers themselves and build their own blocks leading to the inability to effectively detect theft. Even though the investments required to do this are capital intensive, unless there is an implementation of proposer-builder separation, this will also remain as an option to commit theft.

D) MEV theft detection mechanism

The  effectiveness of any recovery and deterrence mechanism lies in the ability to detect the event of MEV theft and ascertain the amount of MEV stolen with certainty.

Stader will deploy a robust detection mechanism:

  1. Daily on-chain monitoring to detect changes to the fee recipient at a block level. An on-chain oracle will be used to retrieve data from the beacon chain on a consistent basis to cover all cases where the final payment of MEV rewards was made to an address other than the one designated for rewards distribution.
  2. Mandate the use of MEV Boost to allow nuanced monitoring and tracking of the "real value" of MEV. Allows ETHx to harness the benefits of proposer-builder separation till such time this is enabled as part of ETH’s design. Gives way for open and transparent block-building with the ability to monitor the value of public bids placed by builders with respect to a particular block. Close monitoring of validator behaviour over time helps establish a pattern of theft with certainty.
  3. Continuously evolve monitoring and detection methods. As the mechanisms to detect and monitor MEV theft evolve, Stader will work with partners in the ecosystem until all instances of theft can be detected.

MEV theft mitigation measures

  • The threshold penalty of 1 ETH sufficiently covers 7x of the average MEV per block (0.13 ETH), and 21x of the median MEV per block (0.046 ETH), acting as a strong deterrent as a validator would stand to incur a net loss on stealing the MEV reward. The proposed penalty mechanism is as below:
  1. Maximum of the cumulative value of MEV stolen or 1 ETH to be recovered from the 4 ETH bond
  2. 1-strike leeway from applicable penalties to allow for misconfiguration errors of the fee recipient address
  • Ability to force exit validators via pre-signed messages becoming available as an option post the upcoming Shanghai upgrade, there will be further deterrence to such short-term behavior given the opportunity costs.
  • Use of DAO governed process to penalize validators who display a pattern of theft and allowing for retroactive action to be taken as detection mechanisms evolve.

E) Risk simulation of MEV Theft to share of user rewards

As covered earlier, non-sharing of MEV rewards/priority fees by node operators will not affect the user's staked balance but it is a possible risk to execution layer rewards. Given ETHx design will have recourse to the node operator bond for MEV theft cases, the expected potential loss of user rewards could come from tail cases of daily MEV > bond requirement.

The value of MEV rewards per block in more than 99% of cases is below 1.29 ETH, with the median MEV per block being as low as 0.046 ETH ensuring that the 4 ETH bond provides more than sufficient protection to user’s share of rewards. In order to assess the impact of MEV theft in edge cases, we have conducted 2 sets of analysis:

  1. Analysis 1:  The extent of protection of user’s share of rewards, provided by the 4 ETH bond, when the value of MEV theft > 4 ETH
  2. Analysis 2: The significance of the difference in potential loss of user’s share of rewards, when the bond is doubled to 8 ETH

Analysis 1

The below analysis estimates the extent of user rewards protection provided by the 4 ETH bond considering the impact of cases where the daily value of MEV rewards > 4 ETH, assuming 3 levels of theft by node operators: 30%, 50% and 100%.

From the below analysis, we can see that the 4 ETH bond will protect 94% of user rewards assuming 30% of operators steal MEV rewards > 4 ETH. Even in the worst-case scenario of 100% of node operators stealing MEV, 79% of user rewards are still protected.

Note:

  • MEV as a perc. of staked ETH is calculated as annualized total MEV rewards per validator by total staked ETH which is currently at ~1% (Source: https://ultrasound.money/)
  • % MEV rewards lost is calculated as follows:
  1. First, we considered the actual daily MEV rewards earned by participating validators, where the daily MEV rewards earned > 4 ETH (Bond amount). The analysis was performed on the basis of data from Flashbots’ MEV Boost Relay  for 3 months (Sep to Nov’22).
  2. Next, the MEV rewards lost was calculated at a validator level as MEV rewards earned less 4 ETH
  3. Perc MEV rewards lost is arrived at by dividing the MEV rewards lost as calculated in step (b) by the Total MEV rewards earned in the same period and multiplying the same by different levels of MEV theft i.e., 30%, 50% and 100% respectively
  • % MEV Protected is calculated as 1 minus % MEV rewards lost

Analysis 2

Stolen MEV can potentially lead to a loss of user’s share of rewards on staked ETH. In order to test whether a higher bond reduces this loss significantly, the below analysis considers 2 options:

  1. 4 ETH: Bonding requirement identified as sufficient to protect user’s staked ETH
  2. 8 ETH: 2x the 4 ETH bond, to test if the potential loss from MEV theft is significantly mitigated

Simulation conditions:

  1. 30% of validators commit MEV theft
  2. 3 levels of MEV rewards as a percentage of staked assets: 1%, 2% and 3%

It was observed that the difference in %Loss of User Rewards on staked ETH on account of MEV theft between a 4ETH bond versus an 8 ETH bond was minimal (ranging between 0.02% to 0.06%); across varying levels of MEV rewards (1% to 3%).

Note:

  • MEV as % of staked ETH is calculated as annualized total MEV rewards per validator by total staked ETH which is currently at ~1% (Source: https://ultrasound.money/)
  • % MEV loss is calculated as follows:
  1. First, we considered the actual daily MEV rewards earned by participating validators, where the daily MEV rewards earned > 4 ETH and 8 ETH respectively (Bond amount). The analysis was performed on the basis of data from Flashbots’ MEV Boost Relay  for 3 months (Sep to Nov).
  2. Next, the MEV loss was calculated at a validator level as MEV rewards earned less 4 ETH and 8 ETH respectively
  3. Perc MEV loss is arrived at by dividing the MEV loss as calculated in step (b) by the Total MEV rewards earned in the same period and multiplying the same by the assumed level of MEV theft of 30%
  • % Yield Loss to user is calculated as MEV as a % of staked assets multiplied by % MEV loss